AMIA and AHIMA Call for HIPAA Reforms

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) have called for officials to reform the Health Insurance Portability and Accountability Act (HIPAA).

The calls for reform were made on Wednesday, December 5, 2018, at a Capitol Hill briefing session. In a discussion entitled “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” leaders from AMIA and AHIMA joined other industry experts in a discussion about the impact federal policies are having on the ability of patients to access and use their health information.

Among other things, they discussed how reforms may be made to improve patients’ access to their health information, make health data more portable, and to better protect health data in the app ecosystem.

Under current laws, consumers across a wide range of industries have access to their personal information and can use that information to book travel, find out about prices of products and services from different providers, and conduct reviews and comparisons. Many industries have taken access to improve consumer access to their data, but it is widely regarded that the healthcare industry lags behind. This inertia has been blamed on many different factors, but HIPAA rules often face criticism for preventing facile adoption of new techniques and technologies that would potentially improve patient experience.

The AMIA’s recently submitted a response to a request for comments (RFC) by the National Telecommunications and Information Administration in which they urged the Trump administration to reform both HIPAA and the Common Rule, which deals with the protection of human subjects in research.

“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas B. Fridsma. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”

AHIMA CEO Wylecia Wiggs Harris said, “AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape… the language in HIPAA complicates these efforts in an electronic world.”

Both AMIA and AHIMA suggest HIPAA needs to be modernized to improve patient access to health data. As it was originally written in 1996, it is widely criticised for being out-of-date, particularly in relation to healthcare technology. The AMIA and AHIMA suggested two routes that may be taken to improve HIPAA. One option is the establishment of a new term – “Health Data Set” – that incorporates all data about a patient that is held by a HIPAA-covered entity or business associate, including clinical, biomedical, and claims information.

Alternatively, the definition of a Designated Record Set that is currently used in HIPAA legislation could be updated and for certified health IT to be required to provide that data set in electronic form and in a way that allows patients to use and reuse their data.

Either option would serve many benefits if it were adopted. For example, the first option would support a patient’s right to access their health data and also support the development of the ONC’s certification program in the future to allow patients to view, download, and electronically transmit their health data to third parties through an Application programming interface (API). The update to current record set definition would help to clarify rules for both providers and patients.

AMIA and AHIMA also support the extension of the HIPAA individual right of access and amendment to entities that are not covered by HIPAA but manage individual health data. This may include such as companies that develop mHealth (mobile health) apps and health social media applications. The risks of using these apps are understudied, but as their use becomes ubiquitous, urgent action is needed to ensure that their technical safeguards are up to industry standards and patient data is protected.

“Health Information management (HIM) professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” explained AHIMA’s Wylecia Wiggs Harris. “AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”